How to Install the Passbolt Self-Hosted Password Manager on CentOS 8

Passbolt is an open-source password manager that lets you store and share passwords securely. It is designed for small and medium-sized organizations to store login credentials and share them among team members. It is self-hosted and is available in a community edition and a subscription-based edition.

This tutorial shows how to install the Passbolt password manager on CentOS 8 with Nginx and a Let's Encrypt SSL certificate.

Prerequisites

  • A server running CentOS 8.
  • A valid domain name pointed at the server's IP address.
  • A root password configured on the server.

Install the LEMP Server

First, install Nginx and the MariaDB database server with the following command:

dnf install nginx mariadb-server -y

Next, you need to install the latest version of PHP and the other required PHP extensions. By default, the latest PHP version is not available in the CentOS default repository, so you need to add the EPEL and REMI repositories to your system.

You can add both repositories with the following commands:

dnf install epel-release -y
dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm -y

Then disable the default PHP module stream and enable the REMI one with the following commands:

dnf module reset php
dnf module enable php:remi-7.4

Then run the following command to install PHP together with the other required dependencies:

dnf install php php-fpm php-intl php-gd php-mysqli php-json php-pear php-devel php-mbstring git make unzip -y

After installing all the packages, you need to edit the PHP-FPM pool configuration file and change the user and group to nginx:

nano /etc/php-fpm.d/www.conf

Change the following lines:

user = nginx
group = nginx

Save and close the file, then change the group ownership of the PHP session directory:

chgrp nginx /var/lib/php/session

Then start the Nginx, MariaDB and PHP-FPM services and enable them to start at system reboot with the following commands:

systemctl start mariadb nginx php-fpm
systemctl enable mariadb nginx php-fpm

Next, you need to install the GnuPG PHP extension. You can install it by running the following commands:

dnf config-manager --set-enabled powertools
dnf install gpgme-devel
pecl install gnupg
echo "extension=gnupg.so" > /etc/php.d/gnupg.ini

Then restart the PHP-FPM service to apply the changes:

systemctl restart php-fpm

Install Composer

Composer is a dependency manager for PHP. It must be installed on your system.

First, download the Composer setup file with the following command:

php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"

Then install Composer with the following command:

php composer-setup.php --install-dir=/usr/local/bin --filename=composer

You should get the following output:

All settings correct for using Composer
Downloading...

Composer (version 2.0.11) successfully installed to: /usr/local/bin/composer
Use it: php /usr/local/bin/composer

Then check the Composer version with the following command:

composer -V

You should get the following output:

Composer version 2.0.11 2021-02-24 14:57:23

Create a Database

Next, you need to create a database and a database user for Passbolt.

First, connect to MariaDB with the following command:

mysql

Once connected, create the database and the user with the following commands:

MariaDB [(none)]> CREATE DATABASE passbolt DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
MariaDB [(none)]> GRANT ALL ON passbolt.* TO 'passbolt'@'localhost' IDENTIFIED BY 'password';

Then flush the privileges and exit from MariaDB with the following commands:

MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> EXIT;

Once you are done, you can proceed to the next step.

Install and Configure Passbolt

First, change to the Nginx web root directory and download the latest version of Passbolt with the following commands:

cd /var/www
git clone https://github.com/passbolt/passbolt_api.git passbolt

Once the download is complete, change to the passbolt directory and install all the required dependencies with the following commands:

cd passbolt
composer install --no-dev

Next, you need to install haveged before generating the GPG key. First, install it with the following command:

dnf install haveged

Then start the haveged service with the following command:

systemctl start haveged

Then generate the GPG key with the following command:

gpg --full-generate-key

Answer all the questions carefully. If you are prompted to set a passphrase, leave the passphrase field empty.

gpg (GnuPG) 2.2.9; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Hitesh
Email address: [email protected]
Comment: Welcome
You selected this USER-ID:
    "Hitesh (Welcome) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 1A0448FECA43E1F9 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/40733A5076D11E86EF2FE5B51A0448FECA43E1F9.rev'
public and secret key created and signed.

pub   rsa2048 2021-03-12 [SC]
      40733A5076D11E86EF2FE5B51A0448FECA43E1F9
uid                      Hitesh (Welcome) <[email protected]>
sub   rsa2048 2021-03-12 [E]

Note: make a note of the key fingerprint shown above; you will need it in the Passbolt configuration file later.

Then export the private key to serverkey_private.asc and the public key to serverkey.asc with the following commands:

gpg --armor --export-secret-keys [email protected] > /var/www/passbolt/config/gpg/serverkey_private.asc
gpg --armor --export [email protected] > /var/www/passbolt/config/gpg/serverkey.asc

Then set the proper ownership on the passbolt directory:

chown -R nginx:nginx /var/www/passbolt

Then initialize the GPG keyring of the nginx user with the following command:

sudo su -s /bin/bash -c "gpg --list-keys" nginx

Output:

gpg: directory '/var/lib/nginx/.gnupg' created
gpg: keybox '/var/lib/nginx/.gnupg/pubring.kbx' created
gpg: /var/lib/nginx/.gnupg/trustdb.gpg: trustdb created

Then create the Passbolt configuration file from the default template:

cp config/passbolt.default.php config/passbolt.php

Then edit the passbolt.php file to define the database settings and the base URL:

nano config/passbolt.php

Change the following lines:

        'fullBaseUrl' => 'https://passbolt.linuxbuz.com',

    // Database configuration.
    'Datasources' => [
        'default' => [
            'host' => 'localhost',
            //'port' => 'non_standard_port_number',
            'username' => 'passbolt',
            'password' => 'password',
            'database' => 'passbolt',

    // Server GPG key (this block lives in the 'passbolt' => 'gpg' section of the file).
            'serverKey' => [
                // Server private key fingerprint.
                'fingerprint' => '40733A5076D11E86EF2FE5B51A0448FECA43E1F9',
                'public' => CONFIG . 'gpg' . DS . 'serverkey.asc',
                'private' => CONFIG . 'gpg' . DS . 'serverkey_private.asc',
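Before running the installer, a check worth having, as an added example that is not part of the tutorial or of Passbolt itself: a POSIX shell script that confirms the fingerprint written into config/passbolt.php is the primary fingerprint of the exported serverkey.asc, and that serverkey_private.asc carries no passphrase (the installer, run as the nginx user, cannot prompt for one). It assumes the tutorial's /var/www/passbolt layout (overridable via PASSBOLT_DIR) and the standard gpg --with-colons and --list-packets output formats.

```shell
#!/bin/sh
# Added example (not from the tutorial): sanity-check the Passbolt server key before
# running "./bin/cake passbolt install". PASSBOLT_DIR is an assumption taken from the
# tutorial's layout; override it if Passbolt lives elsewhere.
set -eu

PASSBOLT_DIR="${PASSBOLT_DIR:-/var/www/passbolt}"

# Extract the 40-hex-digit value of the 'fingerprint' => '...' line from passbolt.php text.
config_fingerprint() {   # $1 = contents of passbolt.php
  printf '%s\n' "$1" \
    | sed -n "s/.*'fingerprint' *=> *'\([0-9A-Fa-f]\{40\}\)'.*/\1/p" \
    | head -n 1 | tr 'a-f' 'A-F'
}

# From `gpg --with-colons` output, print the fpr record that follows the primary
# pub/sec record; subkey fingerprints come later and are skipped.
primary_fingerprint() {  # $1 = colon-separated gpg listing
  printf '%s\n' "$1" \
    | awk -F: '/^(pub|sec):/ { want = 1 } want && /^fpr:/ { print toupper($10); exit }'
}

# `gpg --list-packets` prints an S2K line for a passphrase-protected secret key packet;
# an unprotected key has none.
is_passphrase_protected() {  # $1 = output of gpg --list-packets
  printf '%s\n' "$1" | grep -q 'S2K'
}

check_server_key() {
  cfg="$PASSBOLT_DIR/config/passbolt.php"
  pub="$PASSBOLT_DIR/config/gpg/serverkey.asc"
  priv="$PASSBOLT_DIR/config/gpg/serverkey_private.asc"
  want=$(config_fingerprint "$(cat "$cfg")")
  have=$(primary_fingerprint "$(gpg --with-colons --show-keys "$pub")")
  [ -n "$want" ] || { echo "no serverKey fingerprint found in $cfg"; return 1; }
  [ "$want" = "$have" ] || { echo "fingerprint mismatch: config=$want key=$have"; return 1; }
  if is_passphrase_protected "$(gpg --list-packets "$priv" 2>/dev/null)"; then
    echo "serverkey_private.asc is passphrase-protected; Passbolt cannot use it"; return 1
  fi
  echo "server key OK: $have"
}

# Run the check only when invoked as `sh check-server-key.sh check`, so the helper
# functions above can also be sourced and reused on their own.
if [ "${1:-}" = "check" ]; then
  check_server_key
fi
```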

Save and close the file, then install Passbolt with the following commands:

cd /var/www/passbolt
sudo su -s /bin/bash -c "./bin/cake passbolt install --no-admin" nginx

You should get the following output:

All Done. Took 0.9595s

Import the server private key in the keyring
---------------------------------------------------------------
Importing /var/www/passbolt/config/gpg/serverkey_private.asc
Keyring init OK

Passbolt installation success! Enjoy!

Configure Nginx for Passbolt

Next, you will need to create an Nginx configuration file for Passbolt. You can create it with the following command:

nano /etc/nginx/conf.d/passbolt.conf

Add the following lines:

server {
  listen 80;
  server_name passbolt.linuxbuz.com;
  root /var/www/passbolt;
  
  location / {
    try_files $uri $uri/ /index.php?$args;
    index index.php;
  }
  
  location ~ \.php$ {
    fastcgi_index           index.php;
    fastcgi_pass            unix:/var/run/php-fpm/www.sock;
    fastcgi_split_path_info ^(.+\.php)(.+)$;
    include                 fastcgi_params;
    fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param           SERVER_NAME $http_host;
  }
       
  location ~* \.(jpe?g|woff|woff2|ttf|gif|png|bmp|ico|css|js|json|pdf|zip|htm|html|docx?|xlsx?|pptx?|txt|wav|swf|svg|avi|mpd)$ {
    access_log off;
    log_not_found off;
    try_files $uri /webroot/$uri /index.php?$args;
  }
}

Save and close the file, then check the Nginx configuration for syntax errors:

nginx -t

Output:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Next, restart Nginx to apply the changes:

systemctl restart nginx

Secure Passbolt with Let’s Encrypt SSL

Next, you will need to install the Certbot client to obtain the Let's Encrypt SSL certificate for Passbolt. You can install it with the following command:

dnf install letsencrypt python3-certbot-nginx

Next, obtain and install an SSL certificate for your domain with the following command:

certbot --nginx -d passbolt.linuxbuz.com

You will be asked to provide your email address and accept the terms of service:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for passbolt.linuxbuz.com
Performing the following challenges:
http-01 challenge for passbolt.linuxbuz.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/passbolt.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/passbolt.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://passbolt.linuxbuz.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Subscribe to the EFF mailing list (email: [email protected]).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/passbolt.linuxbuz.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/passbolt.linuxbuz.com/privkey.pem
   Your certificate will expire on 2021-06-09. To obtain a new or
   tweaked version of this certificate in the future, simply run certbot
   again with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate

Register a User with Passbolt

Next, you need to register a user with Passbolt. You can do so with the following commands:

cd /var/www/passbolt
sudo su -s /bin/bash -c "./bin/cake passbolt register_user -u [email protected] -f howtoforge -l Demo -r admin" nginx

You should get the following output:

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
---------------------------------------------------------------
User saved successfully.
To start registration follow the link provided in your mailbox or here: 
https://passbolt.linuxbuz.com/setup/install/f81227bc-b0b6-44b5-99a7-6b490a4ba262/5a112de0-6ca4-4e1b-97c8-26453ef3828b

You can access Passbolt using the link above.

Configure the Firewall

Next, you need to allow ports 80 and 443 through the firewall. You can do so with the following commands:

firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp

Then reload firewalld to apply the changes:

firewall-cmd --reload

Access the Passbolt Web UI

Then open your web browser and enter the URL https://passbolt.linuxbuz.com/setup/install/f81227bc-b0b6-44b5-99a7-6b490a4ba262/5a112de0-6ca4-4e1b-97c8-26453ef3828b. You will be redirected to the following page.

Here, you need to download and install the Passbolt browser extension and then refresh the page. The following page is displayed.

Set a passphrase

Specify a secure passphrase and click the Next button. The following page is displayed.

Choose a color

Choose a color, enter your security token, and click the Next button. You will be redirected to the Passbolt dashboard on the following page.

Passbolt Password Manager

Conclusion

Congratulations! You have successfully installed the Passbolt password manager on CentOS 8 with Nginx and Let's Encrypt SSL. You can now deploy Passbolt in your organization and start storing and sharing login credentials securely among team members.
